Why are non-collision-resistant hash functions considered insecure for signing self-generated informationWhy are hash functions one way? If I know the algorithm, why can't I calculate the input from it?Can a zero knowledge proof of voting be made using a trusted auth server (without client side crypto)?What are the implications of SHA-1 collision for other hash functions like RIPEMD-160?
How do I get a decreased-by-one x in a foreach loop?
How to find out the average duration of the peer-review process for a given journal?
Is there any way to keep a player from killing an NPC?
Thank God it's Friday, tomorrow is THE weekend. Why the definite article?
Why in most German places is the church the tallest building?
What is this symbol: semicircles facing each other?
Is for(( ... )) ... ; a valid shell syntax? In which shells?
How do I, an introvert, communicate to my friend and only colleague, an extrovert, that I want to spend my scheduled breaks without them?
How do you harvest carrots in creative mode?
Antonym of "billable"
What do these triangles above and below the staff mean?
Is it possible to perform a regression where you have an unknown / unknowable feature variable?
What is the difference between Major and Minor Bug?
“T” in subscript in formulas
Ensuring all network services on a device use strong TLS cipher suites
Heyacrazy: Careening
Did a flight controller ever answer Flight with a no-go?
Why does The Ancient One think differently about Doctor Strange in Endgame than the film Doctor Strange?
What would be the challenges to taking off and landing a typical passenger jet at FL300?
Algorithms vs LP or MIP
State-of-the-art algorithms for solving linear programs
Tensorflow - logistic regrssion -oneHot Encoder - Transformed array of differt size for both train and test
What to say to a student who has failed?
If all stars rotate, why was there a theory developed that requires non-rotating stars?
Why are non-collision-resistant hash functions considered insecure for signing self-generated information
Why are hash functions one way? If I know the algorithm, why can't I calculate the input from it?Can a zero knowledge proof of voting be made using a trusted auth server (without client side crypto)?What are the implications of SHA-1 collision for other hash functions like RIPEMD-160?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
Let we have a hash function that is second preimage resistant but not collision-resistant.
Then an adversary can create a pair of different messages M and M', M is benign and M' is malicious, for both of which the signature will be valid.
I don't understand why it is an issue in the setting where signatures are used to authenticate origin of data created by the same entity. So if one signs some software he claims "I have created this content myself, if it contains malware, blame me". And for keys: "this public key has a corresponding private key, I have access to it".
If one crafts a collision and signs self-generated data ... he still claims the above statements.
So should such hash functions be considered secure for things like self-signed certificates and code signing?
hash digital-signature code-signing
add a comment |
Let we have a hash function that is second preimage resistant but not collision-resistant.
Then an adversary can create a pair of different messages M and M', M is benign and M' is malicious, for both of which the signature will be valid.
I don't understand why it is an issue in the setting where signatures are used to authenticate origin of data created by the same entity. So if one signs some software he claims "I have created this content myself, if it contains malware, blame me". And for keys: "this public key has a corresponding private key, I have access to it".
If one crafts a collision and signs self-generated data ... he still claims the above statements.
So should such hash functions be considered secure for things like self-signed certificates and code signing?
hash digital-signature code-signing
add a comment |
Let we have a hash function that is second preimage resistant but not collision-resistant.
Then an adversary can create a pair of different messages M and M', M is benign and M' is malicious, for both of which the signature will be valid.
I don't understand why it is an issue in the setting where signatures are used to authenticate origin of data created by the same entity. So if one signs some software he claims "I have created this content myself, if it contains malware, blame me". And for keys: "this public key has a corresponding private key, I have access to it".
If one crafts a collision and signs self-generated data ... he still claims the above statements.
So should such hash functions be considered secure for things like self-signed certificates and code signing?
hash digital-signature code-signing
Let we have a hash function that is second preimage resistant but not collision-resistant.
Then an adversary can create a pair of different messages M and M', M is benign and M' is malicious, for both of which the signature will be valid.
I don't understand why it is an issue in the setting where signatures are used to authenticate origin of data created by the same entity. So if one signs some software he claims "I have created this content myself, if it contains malware, blame me". And for keys: "this public key has a corresponding private key, I have access to it".
If one crafts a collision and signs self-generated data ... he still claims the above statements.
So should such hash functions be considered secure for things like self-signed certificates and code signing?
hash digital-signature code-signing
hash digital-signature code-signing
edited 4 hours ago
KOLANICH
asked 8 hours ago
KOLANICHKOLANICH
5124 silver badges13 bronze badges
5124 silver badges13 bronze badges
add a comment |
add a comment |
3 Answers
3
active
oldest
votes
Digital signatures are designed to do three things:
- Ensure the integrity of the data that has been signed
- Create some degree of non-repudiation by the signer
- The purpose you mentioned, which is to authenticate the origin of the message
The biggest issue with hash functions that are susceptible to collisions is that you very quickly lose the first design goal. If two different messages can have the same signature, then you can't know which are genuine.
So, what's the big deal if I can sign two different messages with the same signature? You still know they both came from me and can hold me accountable, right? Well, perhaps. There are certainly some cases where this can be abused, but we're going to ignore them because they aren't the real issue. The real issue is where you can craft two messages that will have the same signature and the submit one of the for someone else to sign.
The canonical example here is a x.509 (SSL/TLS) certificate request. In this case, a poorly designed certificate signing process can be leveraged to induce a Certificate Authority to sign a certificate for one subject or with one set of properties (like an end-entity certificate), only to have the signature collide with the signature for a second certificate also generated by the attackers that would not have been issued for a subject the attackers don't control, or a CA cert, and that rouge cert can now benefit from the perfectly valid signature associated with first, benign certificate.
add a comment |
Xander's answer is fundamentally correct: the issue is getting someone else to sign a benign message and use the signature for the malicious one. It is worth noting that although when you make a collision you don't get to decide on the messages directly, you often do get to decide on part of the message. For example I couldn't persuade you to sign "My name is KOLANICH" and swap it for "My name is Josiah": the hashes are vanishingly unlikely to match. However I might be able to get you to sign "Please pay account number X $50 for shoes with reference code ZZZZZZZZZZ." and then replace it with "Please pay account number X $50000 with reference code YYYYYYYYYY." In this scenario I choose whichever Y and Z I need to get the collision.
An additional reason that they are considered insecure is a canary in a coal mine situation. It is easier to find a collision than to find a second preimage; strictly so because if you had a second preimage attack you automatically have a collision, but not vice versa. However, even though having a technique for finding a collision doesn't directly give you second preimages, it does suggest that there is some regularity to the hash function that is likely to surface vulnerabilities which would with further research allow finding preimages.
add a comment |
Well, in theory you would be right. In some very specific cases those hashes would not be completely broken.
However, you would need to be extra cautious, and supposedly some "self-generated" data could actually be insecure. Would you consider the check's written by the accountant to be self-generated by the accountant? Apparently yes, but it actually contains externally controlled data that could be used to produce a signature of a different content.
So should such hash functions be considered secure for things like self-signed certificates and code signing?
You don't really verify self-signed certificates, so you could ignore the hash function used.
On the other hand, I wouldn't consider it secure for code signing. You are probably using external libraries, so a third party could have prepared a library that, when compiled, allowed it to replace a block of code with a malicious one that collides with it.
Please note that although in some specific cases a "broken hash" may work, given that we have perfectly fine non-broken hash functions, that don't need such careful detail, it is much better to use them when possible.
And finally, do remember attacks only get worse with time. The security margin of that function is much severed than of collision resistant ones. An attack that one day seemed unfeasible, or a hash function that was "only" not collision-resistant, not-too-long after may be further broken with a new discovery, forcing you to need to change it real quick.
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f215836%2fwhy-are-non-collision-resistant-hash-functions-considered-insecure-for-signing-s%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
Digital signatures are designed to do three things:
- Ensure the integrity of the data that has been signed
- Create some degree of non-repudiation by the signer
- The purpose you mentioned, which is to authenticate the origin of the message
The biggest issue with hash functions that are susceptible to collisions is that you very quickly lose the first design goal. If two different messages can have the same signature, then you can't know which are genuine.
So, what's the big deal if I can sign two different messages with the same signature? You still know they both came from me and can hold me accountable, right? Well, perhaps. There are certainly some cases where this can be abused, but we're going to ignore them because they aren't the real issue. The real issue is where you can craft two messages that will have the same signature and the submit one of the for someone else to sign.
The canonical example here is a x.509 (SSL/TLS) certificate request. In this case, a poorly designed certificate signing process can be leveraged to induce a Certificate Authority to sign a certificate for one subject or with one set of properties (like an end-entity certificate), only to have the signature collide with the signature for a second certificate also generated by the attackers that would not have been issued for a subject the attackers don't control, or a CA cert, and that rouge cert can now benefit from the perfectly valid signature associated with first, benign certificate.
add a comment |
Digital signatures are designed to do three things:
- Ensure the integrity of the data that has been signed
- Create some degree of non-repudiation by the signer
- The purpose you mentioned, which is to authenticate the origin of the message
The biggest issue with hash functions that are susceptible to collisions is that you very quickly lose the first design goal. If two different messages can have the same signature, then you can't know which are genuine.
So, what's the big deal if I can sign two different messages with the same signature? You still know they both came from me and can hold me accountable, right? Well, perhaps. There are certainly some cases where this can be abused, but we're going to ignore them because they aren't the real issue. The real issue is where you can craft two messages that will have the same signature and the submit one of the for someone else to sign.
The canonical example here is a x.509 (SSL/TLS) certificate request. In this case, a poorly designed certificate signing process can be leveraged to induce a Certificate Authority to sign a certificate for one subject or with one set of properties (like an end-entity certificate), only to have the signature collide with the signature for a second certificate also generated by the attackers that would not have been issued for a subject the attackers don't control, or a CA cert, and that rouge cert can now benefit from the perfectly valid signature associated with first, benign certificate.
add a comment |
Digital signatures are designed to do three things:
- Ensure the integrity of the data that has been signed
- Create some degree of non-repudiation by the signer
- The purpose you mentioned, which is to authenticate the origin of the message
The biggest issue with hash functions that are susceptible to collisions is that you very quickly lose the first design goal. If two different messages can have the same signature, then you can't know which are genuine.
So, what's the big deal if I can sign two different messages with the same signature? You still know they both came from me and can hold me accountable, right? Well, perhaps. There are certainly some cases where this can be abused, but we're going to ignore them because they aren't the real issue. The real issue is where you can craft two messages that will have the same signature and the submit one of the for someone else to sign.
The canonical example here is a x.509 (SSL/TLS) certificate request. In this case, a poorly designed certificate signing process can be leveraged to induce a Certificate Authority to sign a certificate for one subject or with one set of properties (like an end-entity certificate), only to have the signature collide with the signature for a second certificate also generated by the attackers that would not have been issued for a subject the attackers don't control, or a CA cert, and that rouge cert can now benefit from the perfectly valid signature associated with first, benign certificate.
Digital signatures are designed to do three things:
- Ensure the integrity of the data that has been signed
- Create some degree of non-repudiation by the signer
- The purpose you mentioned, which is to authenticate the origin of the message
The biggest issue with hash functions that are susceptible to collisions is that you very quickly lose the first design goal. If two different messages can have the same signature, then you can't know which are genuine.
So, what's the big deal if I can sign two different messages with the same signature? You still know they both came from me and can hold me accountable, right? Well, perhaps. There are certainly some cases where this can be abused, but we're going to ignore them because they aren't the real issue. The real issue is where you can craft two messages that will have the same signature and the submit one of the for someone else to sign.
The canonical example here is a x.509 (SSL/TLS) certificate request. In this case, a poorly designed certificate signing process can be leveraged to induce a Certificate Authority to sign a certificate for one subject or with one set of properties (like an end-entity certificate), only to have the signature collide with the signature for a second certificate also generated by the attackers that would not have been issued for a subject the attackers don't control, or a CA cert, and that rouge cert can now benefit from the perfectly valid signature associated with first, benign certificate.
answered 8 hours ago
XanderXander
33.8k12 gold badges102 silver badges128 bronze badges
33.8k12 gold badges102 silver badges128 bronze badges
add a comment |
add a comment |
Xander's answer is fundamentally correct: the issue is getting someone else to sign a benign message and use the signature for the malicious one. It is worth noting that although when you make a collision you don't get to decide on the messages directly, you often do get to decide on part of the message. For example I couldn't persuade you to sign "My name is KOLANICH" and swap it for "My name is Josiah": the hashes are vanishingly unlikely to match. However I might be able to get you to sign "Please pay account number X $50 for shoes with reference code ZZZZZZZZZZ." and then replace it with "Please pay account number X $50000 with reference code YYYYYYYYYY." In this scenario I choose whichever Y and Z I need to get the collision.
An additional reason that they are considered insecure is a canary in a coal mine situation. It is easier to find a collision than to find a second preimage; strictly so because if you had a second preimage attack you automatically have a collision, but not vice versa. However, even though having a technique for finding a collision doesn't directly give you second preimages, it does suggest that there is some regularity to the hash function that is likely to surface vulnerabilities which would with further research allow finding preimages.
add a comment |
Xander's answer is fundamentally correct: the issue is getting someone else to sign a benign message and use the signature for the malicious one. It is worth noting that although when you make a collision you don't get to decide on the messages directly, you often do get to decide on part of the message. For example I couldn't persuade you to sign "My name is KOLANICH" and swap it for "My name is Josiah": the hashes are vanishingly unlikely to match. However I might be able to get you to sign "Please pay account number X $50 for shoes with reference code ZZZZZZZZZZ." and then replace it with "Please pay account number X $50000 with reference code YYYYYYYYYY." In this scenario I choose whichever Y and Z I need to get the collision.
An additional reason that they are considered insecure is a canary in a coal mine situation. It is easier to find a collision than to find a second preimage; strictly so because if you had a second preimage attack you automatically have a collision, but not vice versa. However, even though having a technique for finding a collision doesn't directly give you second preimages, it does suggest that there is some regularity to the hash function that is likely to surface vulnerabilities which would with further research allow finding preimages.
add a comment |
Xander's answer is fundamentally correct: the issue is getting someone else to sign a benign message and use the signature for the malicious one. It is worth noting that although when you make a collision you don't get to decide on the messages directly, you often do get to decide on part of the message. For example I couldn't persuade you to sign "My name is KOLANICH" and swap it for "My name is Josiah": the hashes are vanishingly unlikely to match. However I might be able to get you to sign "Please pay account number X $50 for shoes with reference code ZZZZZZZZZZ." and then replace it with "Please pay account number X $50000 with reference code YYYYYYYYYY." In this scenario I choose whichever Y and Z I need to get the collision.
An additional reason that they are considered insecure is a canary in a coal mine situation. It is easier to find a collision than to find a second preimage; strictly so because if you had a second preimage attack you automatically have a collision, but not vice versa. However, even though having a technique for finding a collision doesn't directly give you second preimages, it does suggest that there is some regularity to the hash function that is likely to surface vulnerabilities which would with further research allow finding preimages.
Xander's answer is fundamentally correct: the issue is getting someone else to sign a benign message and use the signature for the malicious one. It is worth noting that although when you make a collision you don't get to decide on the messages directly, you often do get to decide on part of the message. For example I couldn't persuade you to sign "My name is KOLANICH" and swap it for "My name is Josiah": the hashes are vanishingly unlikely to match. However I might be able to get you to sign "Please pay account number X $50 for shoes with reference code ZZZZZZZZZZ." and then replace it with "Please pay account number X $50000 with reference code YYYYYYYYYY." In this scenario I choose whichever Y and Z I need to get the collision.
An additional reason that they are considered insecure is a canary in a coal mine situation. It is easier to find a collision than to find a second preimage; strictly so because if you had a second preimage attack you automatically have a collision, but not vice versa. However, even though having a technique for finding a collision doesn't directly give you second preimages, it does suggest that there is some regularity to the hash function that is likely to surface vulnerabilities which would with further research allow finding preimages.
edited 6 hours ago
answered 7 hours ago
JosiahJosiah
9505 silver badges11 bronze badges
9505 silver badges11 bronze badges
add a comment |
add a comment |
Well, in theory you would be right. In some very specific cases those hashes would not be completely broken.
However, you would need to be extra cautious, and supposedly some "self-generated" data could actually be insecure. Would you consider the check's written by the accountant to be self-generated by the accountant? Apparently yes, but it actually contains externally controlled data that could be used to produce a signature of a different content.
So should such hash functions be considered secure for things like self-signed certificates and code signing?
You don't really verify self-signed certificates, so you could ignore the hash function used.
On the other hand, I wouldn't consider it secure for code signing. You are probably using external libraries, so a third party could have prepared a library that, when compiled, allowed it to replace a block of code with a malicious one that collides with it.
Please note that although in some specific cases a "broken hash" may work, given that we have perfectly fine non-broken hash functions, that don't need such careful detail, it is much better to use them when possible.
And finally, do remember attacks only get worse with time. The security margin of that function is much severed than of collision resistant ones. An attack that one day seemed unfeasible, or a hash function that was "only" not collision-resistant, not-too-long after may be further broken with a new discovery, forcing you to need to change it real quick.
add a comment |
Well, in theory you would be right. In some very specific cases those hashes would not be completely broken.
However, you would need to be extra cautious, and supposedly some "self-generated" data could actually be insecure. Would you consider the check's written by the accountant to be self-generated by the accountant? Apparently yes, but it actually contains externally controlled data that could be used to produce a signature of a different content.
So should such hash functions be considered secure for things like self-signed certificates and code signing?
You don't really verify self-signed certificates, so you could ignore the hash function used.
On the other hand, I wouldn't consider it secure for code signing. You are probably using external libraries, so a third party could have prepared a library that, when compiled, allowed it to replace a block of code with a malicious one that collides with it.
Please note that although in some specific cases a "broken hash" may work, given that we have perfectly fine non-broken hash functions, that don't need such careful detail, it is much better to use them when possible.
And finally, do remember attacks only get worse with time. The security margin of that function is much severed than of collision resistant ones. An attack that one day seemed unfeasible, or a hash function that was "only" not collision-resistant, not-too-long after may be further broken with a new discovery, forcing you to need to change it real quick.
add a comment |
Well, in theory you would be right. In some very specific cases those hashes would not be completely broken.
However, you would need to be extra cautious, and supposedly some "self-generated" data could actually be insecure. Would you consider the check's written by the accountant to be self-generated by the accountant? Apparently yes, but it actually contains externally controlled data that could be used to produce a signature of a different content.
So should such hash functions be considered secure for things like self-signed certificates and code signing?
You don't really verify self-signed certificates, so you could ignore the hash function used.
On the other hand, I wouldn't consider it secure for code signing. You are probably using external libraries, so a third party could have prepared a library that, when compiled, allowed it to replace a block of code with a malicious one that collides with it.
Please note that although in some specific cases a "broken hash" may work, given that we have perfectly fine non-broken hash functions, that don't need such careful detail, it is much better to use them when possible.
And finally, do remember attacks only get worse with time. The security margin of that function is much severed than of collision resistant ones. An attack that one day seemed unfeasible, or a hash function that was "only" not collision-resistant, not-too-long after may be further broken with a new discovery, forcing you to need to change it real quick.
Well, in theory you would be right. In some very specific cases those hashes would not be completely broken.
However, you would need to be extra cautious, and supposedly some "self-generated" data could actually be insecure. Would you consider the check's written by the accountant to be self-generated by the accountant? Apparently yes, but it actually contains externally controlled data that could be used to produce a signature of a different content.
So should such hash functions be considered secure for things like self-signed certificates and code signing?
You don't really verify self-signed certificates, so you could ignore the hash function used.
On the other hand, I wouldn't consider it secure for code signing. You are probably using external libraries, so a third party could have prepared a library that, when compiled, allowed it to replace a block of code with a malicious one that collides with it.
Please note that although in some specific cases a "broken hash" may work, given that we have perfectly fine non-broken hash functions, that don't need such careful detail, it is much better to use them when possible.
And finally, do remember attacks only get worse with time. The security margin of that function is much severed than of collision resistant ones. An attack that one day seemed unfeasible, or a hash function that was "only" not collision-resistant, not-too-long after may be further broken with a new discovery, forcing you to need to change it real quick.
answered 2 hours ago
ÁngelÁngel
10.9k2 gold badges16 silver badges42 bronze badges
10.9k2 gold badges16 silver badges42 bronze badges
add a comment |
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f215836%2fwhy-are-non-collision-resistant-hash-functions-considered-insecure-for-signing-s%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown